#!/bin/sh

# 注意：脚本中使用命令过于粗暴，使用前请备份关键数据，谨慎修改！

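# Base name of this script. It is passed to grep --exclude when scanning for
# infected files and to grep -v when listing processes, so the cleanup never
# edits or kills itself. The script body contains the keywords below, so a
# renamed copy must still be excluded: take the name from $0 when it looks
# like a script file, otherwise keep the historical default.
case "${0##*/}" in
    *.sh) SELF="${0##*/}" ;;
    *)    SELF="remove_virus.sh" ;;
esac

# Extended-regex alternation matched against `ps -ef` output; every matching
# process is killed.
# NOTE(review): /tmp/kdevtmpfsi is deleted further down, but no keyword here
# matches a process of that name. Confirm whether it should be listed.
VIRUS_PROC_KEYWORDS="kinsing|pastebin|watchdogs|watchbog|ksoftirqds|kthrotlds"

# Extended-regex alternation matched against file contents; every matching
# LINE is deleted from the files found, so keep it specific.
VIRUS_CONF_KEYWORDS="pastebin"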

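#######################################
# Delete every line matching VIRUS_CONF_KEYWORDS from the files under a
# directory, then search again to confirm nothing is left.
# Globals:   VIRUS_CONF_KEYWORDS (read), SELF (read)
# Arguments: $1 - directory to scan recursively
# Outputs:   progress messages and the list of modified files on stdout
# Notes:     Files are edited in place and no backup is taken. Copy anything
#            needed for later analysis elsewhere first, and not into a cron
#            directory. File names containing newlines are not supported.
#######################################
clear_virus_config(){
    local search_dir infected remaining count pattern file
    search_dir=$1
    echo "查找目录：$search_dir"

    # One path per line; quoting keeps paths with spaces intact.
    infected=$(grep -lrE --exclude=.viminfo --exclude="$SELF" \
        -e "$VIRUS_CONF_KEYWORDS" -- "$search_dir")
    if [ -z "$infected" ]; then
        count=0
    else
        count=$(printf '%s\n' "$infected" | grep -c '')
    fi
    echo "发现病毒文件数：$count"

    if [ "$count" -eq 0 ]; then
        echo  "病毒已经彻底清除"
        return 0
    fi

    echo "按关键字删除病毒……"
    # Use the same keyword list for deletion as for detection, escaping "/"
    # because it is the sed address delimiter.
    pattern=$(printf '%s' "$VIRUS_CONF_KEYWORDS" | sed 's:/:\\/:g')
    printf '%s\n' "$infected" | while IFS= read -r file; do
        # Record each file that is about to be modified.
        printf '  %s\n' "$file"
        sed -i -E "/$pattern/d" -- "$file"
    done

    # Search again rather than reusing the first result, so the check
    # reflects what is on disk now.
    echo "病毒删除完毕，验证删除结果"
    remaining=$(grep -lrE --exclude=.viminfo --exclude="$SELF" \
        -e "$VIRUS_CONF_KEYWORDS" -- "$search_dir")
    if [ -z "$remaining" ]; then
        echo  "病毒已经彻底清除"
    else
        # Something re-wrote the entries or a file could not be edited.
        echo  "无法彻底删除，请清理病毒进程"
    fi
}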

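#######################################
# Kill every process whose `ps -ef` line matches VIRUS_PROC_KEYWORDS.
# Globals:   VIRUS_PROC_KEYWORDS (read), SELF (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Notes:     Matching is done on the whole ps line (user, command and
#            arguments), so an over-broad keyword kills unrelated processes.
#######################################
kill_virus_process(){
    local pids count

    # Run the pipeline directly. Storing it in a string and expanding that
    # string passes "|" to ps as a literal argument, so nothing is matched.
    # The grep -v stage drops the grep helpers and this script itself.
    pids=$(ps -ef | grep -E "$VIRUS_PROC_KEYWORDS" | grep -vE "grep|$SELF" | awk '{print $2}')

    if [ -n "$pids" ]; then
        count=$(printf '%s\n' "$pids" | grep -c '')
        echo "病毒进程数量：$count"
        echo "终止病毒进程"
        # SIGKILL as in the original script. $pids is left unquoted on
        # purpose so each PID becomes its own argument.
        # shellcheck disable=SC2086
        kill -9 $pids
    else
        echo "未发现病毒进程"
    fi
}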

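# Block outbound traffic to the malware download host http://185.92.74.42/s.sh
# The -C check keeps repeated runs from stacking duplicate rules.
# NOTE(review): -A appends, so an earlier ACCEPT rule in OUTPUT still wins.
# The rule is also not saved here, so confirm rule order and persistence.
iptables -C OUTPUT -d 185.92.74.42 -j REJECT 2>/dev/null ||
    iptables -A OUTPUT -d 185.92.74.42 -j REJECT

# Clear the immutable (i), undeletable (u) and append-only (a) attributes
# so the cron files and temp directories can be modified again.
chattr -iua /etc/crontab /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /tmp /var/tmp
chmod -R u+w /tmp /var/tmp
# NOTE(review): this removes EVERYTHING under /var/tmp, not only malware.
# Copy out and hash any samples needed for analysis before running it.
rm -rf /var/tmp/* /tmp/kdevtmpfsi

# Stop the cron service so scheduled jobs cannot restart the malware while
# it is being removed.
# NOTE(review): cron stays disabled afterwards. Re-enable it once the cron
# files have been reviewed. The unit is named "crond" here and may differ
# per distribution.
systemctl stop crond
systemctl disable crond

# Kill the malware processes first...
kill_virus_process
# ...then strip the matching lines from the configuration files.
clear_virus_config /etc
clear_virus_config /root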

